Microsoft has posted patches that will fix vulnerabilities in Site Server and Internet Information Server (IIS). Site Server and IIS could potentially expose sensitive data on corporate Web sites.
The patches correct security risks posed by three Active Server Pages viewer files, which could let Web surfers navigate through a server's directory structure and even into the NT system files.
Scott Culp, security product manager for Microsoft, says the updated file viewers will prevent that sort of navigation. Culp also emphasized that administrators should lock down access rights to any sensitive files to prevent the .asp viewers from getting those files. The viewers, which only let users view files not change or create new ones, are subject to Windows NT file permission Access Control Lists.
In addition to the patches for Site Server 3.0 and IIS 4.0, Microsoft posted a security checklist so administrators can test those servers.
The viewer files-showcode.asp, viewcode.asp and codebrws.asp-give anyone with a Web browser access to unrestricted files on the server. These viewers are provided to let users view source code of sample files as a teaching tool, they are not intended to be deployed on production servers. The files are copied to the server when a default installation is used for Site Server. They are not installed by default in IIS.
